Retailers’ Data Under Siege … Again

Retailers large and small have taken it on the chin from hackers again this year. In addition to ongoing credit card scraping attacks on point-of-sale systems, this year brought an onslaught of successful phishing data attacks targeting W-2 documents with employees’ tax and identity information. One recent example was Sprouts, a Phoenix-based supermarket chain with about 21,000 employees and 200 stores. It joined Advance Auto Parts, payday lending firm Moneytree, the Milwaukee Bucks, smaller firms like 14-store Kids Dental Kare in Los Angeles, and dozens of other companies as victims of this attack.

W-2 document security was a problem across every industry. Hackers use information in the stolen tax forms such as social security numbers, income and withholding to file fraudulent tax returns with the IRS. The odds favor the hackers. According to the IRS, this crime worked 22 percent of the time and resulted in more than 100,000 successful e-file PIN creations out of about 500,000 stolen documents.

From the hackers’ perspectives, this is the gift that keeps on giving. Due to the seasonal nature of most retail businesses, the onboarding and turnover of employees and temporary workers creates a steady stream of human resources documents that are prime targets. Protecting all of the files destined to and from HR, as well as any external file sharing for collaboration, is risky but necessary, and introduces significant data protection and privacy compliance issues that the majority of enterprises recognize.

According to the 2015 State of File Collaboration Security report by Enterprise Management Associates, 75 percent of IT and Infosec professionals at mid-tier enterprises expressed a high or very high level of concern about sensitive, regulated or confidential data leakage due to inappropriate file sharing or unauthorized access. Fully half said they experience frequent instances of file data leakage. A whopping 84 percent had a moderate or total lack of confidence in their organization’s file security monitoring, reporting and policy enforcement capabilities.

Lifecycle File Protection
Retailers may have content management, email security and mobile management in place, but these controls often don’t apply after files traverse the firewall to external networks, users and devices. An employee may exchange files securely with a known supplier, but what prevents the recipient from inappropriately forwarding the file, making unauthorized modifications, or storing it on a laptop or tablet that gets lost or stolen? What happens to the files when recipients change roles or move onto another organization? Can shared files containing financial and healthcare data distributed when onboarding permanent and temporary employees be protected within and outside HR? Even internally sensitive files are often accessed or shared, where they may end up in the wrong hands.

Emerging file security solutions aimed at reducing data leakage risks caused by mistakes — e.g., the W-2 document phishing scams — or through collaboration apply strong encryption and usage controls that persist as files traverse to various external users, networks and devices. Past information rights management (IRM) solutions were costly, often tied to specific applications or infrastructure and cumbersome for IT and departmental users alike. While these IRM solutions worked well internally, they were especially challenging to enforce for users outside the organization.

The best of a class of newer solutions offer greater flexibility and usability for internal and external application, while striking a balance between IT’s need for governance and the user’s need for convenience. They support conventional file sharing mechanisms (e.g., email and network shares) as well as new cloud- and mobile-based applications.

These solutions enable very granular controls over who can access files, under what conditions and what they can do with them. Users can easily apply required controls on file viewing, editing, saving, printing and watermarking that persist for the life of the file. The file owner can even change the file security policy dynamically and delete files remotely after they've been shared. These security policy controls are enforced wherever the file goes and every time the sensitive file is opened.

This new class of file collaboration security platforms also track and store file activity, including applied controls, access attempts, policy violations and actual recipient usage, ensuring organizations protect their intellectual property and personal identifiable information while supporting regulatory compliance. They're easy for IT security teams to implement and integrate with existing applications and workflows, since the approach separates file security functions from file storage, transport and content management. Department heads can preserve user productivity and workflows, and users are ready to do their part. Seventy percent of EMA respondents answered that end users would invoke stronger security controls if empowered.

In the C-suite, executives will most appreciate that the enterprise is reducing reputation and data leakage risks, while better supporting regulatory compliance initiatives.

Easy to Deploy and Use
The beauty of this approach is that if a file containing sensitive payroll or identity information, including W-2s, is accidently shared with or exposed to an unauthorized user, lost on a laptop, or stolen in a data breach, solutions can deny access, log the attempt and even delete the file remotely. Departmental users can even apply time and file open limits. These platforms can be quickly installed as needed, by department, project or enterprisewide, and easily used by HR teams as well as external partners and contractors.

Go ahead and share that file without worrying about exposing confidential or private identity information to the wrong user. With today’s persistent file collaboration security solutions, you can protect and track sensitive files as they're shared within and outside your organization.

Scott Gordon is the COO at FinalCode, and has helped evolve security and risk assessment technologies at both innovative startups and large organizations.